CVE-2026-4283
Published: 24 March 2026
Summary
CVE-2026-4283 is a critical-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 requires enforcement of approved authorizations on the super-unsubscribe AJAX action to block unauthenticated access and prevent account destruction.
AC-2 establishes account management processes to protect non-administrator user accounts from unauthorized irreversible modifications like password randomization, role stripping, and metadata wiping.
AC-6 least privilege ensures unauthenticated users cannot access destructive functions like super-unsubscribe that bypass email confirmation and anonymize accounts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress plugin (T1190) to remove account access by destroying user accounts (T1531) and manipulate stored user data such as usernames, emails, and metadata (T1565.001).
NVD Description
The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to unauthorized account destruction in all versions up to, and including, 3.1.38. This is due to the `super-unsubscribe` AJAX action accepting a `process_now` parameter from unauthenticated users, which bypasses the…
more
intended email-confirmation flow and immediately triggers irreversible account anonymization. This makes it possible for unauthenticated attackers to permanently destroy any non-administrator user account (password randomized, username/email overwritten, roles stripped, comments anonymized, sensitive usermeta wiped) by submitting the victim's email address with `process_now=1`. The nonce required for the request is publicly available on any page containing the `[unsubscribe_form]` shortcode.
Deeper analysisAI
CVE-2026-4283 affects the WP DSGVO Tools (GDPR) plugin for WordPress in all versions up to and including 3.1.38. The vulnerability enables unauthorized account destruction due to the `super-unsubscribe` AJAX action, which accepts a `process_now` parameter from unauthenticated users. This bypasses the intended email-confirmation flow and immediately triggers irreversible account anonymization, stemming from a missing authorization check akin to CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this by submitting a victim's email address along with `process_now=1` via the AJAX endpoint. The required nonce is publicly available on any page containing the `[unsubscribe_form]` shortcode, making exploitation straightforward over the network with low complexity and no privileges needed. Successful attacks permanently destroy non-administrator user accounts by randomizing passwords, overwriting usernames and emails, stripping roles, anonymizing comments, and wiping sensitive usermeta, earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
References provided by the CVE point to specific vulnerable code locations in the plugin's source, including lines in `class-sp-dsgvo-ajax-action.php` (L69), `class-sp-dsgvo-data-collecter.php` (L250), `unsubscriber.php` (L24), and `unsubscribe-form-action.php` (L39) across tags/3.1.38 and trunk branches on the WordPress plugin trac repository. No explicit patch or mitigation details are detailed in the provided information.
Details
- CWE(s)